502 Bad gateway error when behind cloudflare tunnel

Nextcloud version: Nextcloud Hub 4
Operating system and version: Linux 5.15.107-1-pve x86_64
PHP version (eg, 7.4): 8.1.17

The issue you are facing:

I am trying to get cloudflare tunnel working with my nextcloud instance. I am running both cloudflare and nextcloud in their own lxc containers running on Proxmox.

I can access the nextcloud instance on the local network with no problem but trying to access it via the cloudflare tunnel domain gives me a 502 error.

The output of your Nextcloud log in Admin > Logging:

{"reqId":"cCVAFQ2l4o3OOcWkltnn","level":3,"time":"2023-07-08T09:19:11+00:00","remoteAddr":"192.168.2.1","user":"admin","app":"PHP","method":"GET","url":"/index.php/settings/admin","message":"Undefined array key \"mail_smtpauthtype\" at /var/www/nextcloud/apps/settings/templates/settings/admin/additional-mail.php#132","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15","version":"26.0.0.11","data":{"app":"PHP"},"id":"64a92d3c60724"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'passwordsalt' => '',
  'secret' =>'',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'cloud.removed.com',
  ),
  'datadirectory' => '/var/www/nextcloud-data',
  'dbtype' => 'mysql',
  'version' => '26.0.0.11',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '',
  'installed' => true,
  'instanceid' => '073f4b461b966',
  'memcache.local' => '\OC\Memcache\Redis',
  'redis' => array(
      'host' => '/var/run/redis/redis.sock',
      'port' => 0,
      'timeout' => 0.0
  ),
  'filelocking.enabled' => true,
  'memcache.locking' => '\OC\Memcache\Redis',
);

The output of your Apache/nginx/system log in /var/log/____:

[Sat Jul 08 09:10:48.946990 2023] [ssl:error] [pid 1689] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=nextcloud / issuer: CN=nextcloud / serial: 7A2056CD900B46965C5F7DC956FAEE6685449907 / notbefore: Jul  8 09:10:48 2023 GMT / notafter: Jul  8 09:10:48 2033 GMT]
[Sat Jul 08 09:10:48.946994 2023] [ssl:error] [pid 1689] AH02604: Unable to configure certificate localhost:12322:0 for stapling
[Sat Jul 08 09:10:48.976120 2023] [ssl:warn] [pid 1697] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jul 08 09:10:48.976190 2023] [ssl:error] [pid 1697] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=nextcloud / issuer: CN=nextcloud / serial: 7A2056CD900B46965C5F7DC956FAEE6685449907 / notbefore: Jul  8 09:10:48 2023 GMT / notafter: Jul  8 09:10:48 2033 GMT]
[Sat Jul 08 09:10:48.976195 2023] [ssl:error] [pid 1697] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Sat Jul 08 09:10:48.976344 2023] [ssl:warn] [pid 1697] AH01909: localhost:12322:0 server certificate does NOT include an ID which matches the server name
[Sat Jul 08 09:10:48.976398 2023] [ssl:error] [pid 1697] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=nextcloud / issuer: CN=nextcloud / serial: 7A2056CD900B46965C5F7DC956FAEE6685449907 / notbefore: Jul  8 09:10:48 2023 GMT / notafter: Jul  8 09:10:48 2033 GMT]
[Sat Jul 08 09:10:48.976402 2023] [ssl:error] [pid 1697] AH02604: Unable to configure certificate localhost:12322:0 for stapling
[Sat Jul 08 09:10:48.979328 2023] [mpm_prefork:notice] [pid 1697] AH00163: Apache/2.4.56 (Debian) OpenSSL/1.1.1n configured -- resuming normal operations
[Sat Jul 08 09:10:48.979343 2023] [core:notice] [pid 1697] AH00094: Command line: '/usr/sbin/apache2'

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

{"reqId":"cCVAFQ2l4o3OOcWkltnn","level":3,"time":"2023-07-08T09:19:11+00:00","remoteAddr":"192.168.2.1","user":"admin","app":"PHP","method":"GET","url":"/index.php/settings/admin","message":"Undefined array key \"mail_smtpauthtype\" at /var/www/nextcloud/apps/settings/templates/settings/admin/additional-mail.php#132","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15","version":"26.0.0.11","data":{"app":"PHP"}}

Did you carefully read this? Protecting NextCloud behind CloudFlare Firewall and Anti-DDoS - Autoize

I hope that helps.
Much luck

I tried the above but still getting s 502 Bad gateway error.

HI.

Your apache error log reveals the issue. TLS certificate issues.

Client browser (HTTPS begin) → (Public internet) → Cloudflare (CF) Public IP → Cloudflare Reverse Proxy (HTTPS termination) → Backend Stream Connection on tunnel network (HTTPS begin) → Your cloudflare component → Your own Apache (HTTPS termination).

When a client go to your domain on HTTPS, the client browser has a vendor managed/decided list of trusted certificate providers. When it hits the Cloudflare frontent (the cloudflare public IP), the certificate recieved by the client browser, is the certificate provided by cloudflare. That one certificate matches the url which the client is requesting (cn=yourdomain.tld). That certificate is also signed by a trusted certificate provider. The image you uploaded also reflects this. The trafic is ok from the Client to Cloudflare where the certificate is terminated. From that step, Cloudflare is initiating a new connection to your Apache webserver, on HTTPS. This requires a TLS certificate which:
a: CN matches the domain/IP of the configured URL/host which you set in Cloudflare.
b: To be issued by a trusted provider for you both your Apache machine and Cloudflare (unless ticking off the box for trusting selfsigned on Cloudflare side).
You can test this by turning off HTTPS on your own side (Apache and nextcloud config and use HTTP), and remember to correct it on Cloudflare backend stream to use HTTP instead of HTTPS.

1 Like

@Kerasit Thanks for the tip. I managed to solve the issue by setting No TLS Verify on cloudflare.